
Privacy: 10 Items You Should Address

Robert G. Parker MBA, FCA, CISA, CMC
Partner, Deloitte & Touche LLP

The Concept of Privacy

The concept of privacy is not new. Writers and philosophers have discussed it for many years. It has evolved over time as well as through cultural influences. Privacy has become more related to an individual's circumstances and, accordingly, is difficult to compare among cultures. The concept of privacy in modern society involves very individualistic ideas that are influenced by circumstances, culture, and social position.

When we speak of informational privacy in today's business and political environment, we are referring to the ability of an identifiable individual to control the collection, use and disclosure of any recorded information about themselves. Recorded information can extend beyond traditional hard copy records to include electronic information as well as audio and videotape.

While these aspects of privacy have evolved, it was not until the latter half of the twentieth century, when the concept of informational privacy and the rights of citizens to protect themselves from undue, unwarranted, or illegal use of their personal information took shape, that governments started to look at enacting informational privacy legislation.

Robert Parker, a partner in the Toronto Office of Deloitte & Touche, is responsible for providing information security and control, data integrity and personal information privacy services to major clients. He served on the International Board of Directors of the Information Audit and Control Association and was International President in 1986-1987. Currently, he is on the Research Board and the Journal Editorial Board and is Liaison to the CICA's Specialization Committee. He represented the Canadian Institute of Chartered Accountants on an ISO personal information privacy committee, and is currently assisting clients in assessing their readiness status and future strategy to deal with Canada's new Personal Information Protection (and Electronic Documents) Act.

The Concept of Personal Information

In addressing informational privacy, the issue of what constitutes personal information arises. What is it? What is personal and what is public? How do we define it? Personal information may be defined as information about an identifiable individual. In some jurisdictions it does not include the individual's name, business title, business address or business telephone number. In others, the concept of informational privacy may not include personal information used for artistic, journalistic or domestic purposes.

While there have been many legal cases on the broader issue of privacy, such as surveillance and bodily integrity, in many jurisdictions the concept of information privacy has yet to be rigorously tested in court. Until that time, the legislation and regulations must be applied with care to ensure the rights of the data subject to informational privacy are maintained.

Robert G. Parker - 2001

Global Initiatives

One of the first codes of conduct, and standards by which personal information should be gathered, stored, used, disseminated and destroyed, appeared in 1980. The Organization for Economic Co-Operation and Development (OECD) published a document entitled "Recommendations of the Council Concerning Guidelines Governing the Protection of Privacy and Transborder Flow of Personal Data", enunciating eight personal information principles on which almost all legislation and directives on informational privacy are based.

Perhaps the document that accelerated the modern era of informational privacy was the European Union's Directive 95/46. This directive, passed by the European Parliament and the Council on 24 October 1995, was entitled "Protection Of Individuals With Regard To The Processing Of Personal Data And On The Free Movement Of Such Data", and gave member states three years to enact legislation that met or exceeded the guidance provided in the Directive. The Directive established 12 principles that member states had to incorporate into their national legislation and enact by October 1998. The Directive forms the baseline, although member states may enact legislation that is more stringent.

The Extraterritorial Nature of Privacy

Directive 95/46 codified a number of basic principles in a useable framework. The Directive contained the following 12 principles:

- Data Quality
- Special Categories of Processing
- Information to be Given to the Data Subject
- Rights of Access
- Data Subject's Right to Object
- Confidentiality and Security of Processing
- Notification
- Contents of Notification
- Publicizing of Processing Operations
- Judicial Remedies, Liability and Sanctions
- Transfer of Personal Data to Third Countries
- Supervisory Authority

In addition to the principles, Article 25 of the Directive creates an exclusion when transferring personal information to a country. Article 25 states:

"The Member States shall provide that the transfer to a third country of personal data which are undergoing processing or are intended for processing after transfer may take place only if, without prejudice to compliance with the national provisions adopted pursuant to the other provisions of this Directive, the third country in question ensures an adequate level of protection."

Article 25 appears to require that if countries outside the EU have not enacted similar legislation, or do not have agreements such as Safe Harbor or Model Contract in place, personal information cannot be transferred to that country for processing.

Items_10_Article_May2001.doc

To address the EU restrictions on transferring personal information, the United States Federal Trade Commission entered into a Safe Harbor agreement with the EU in the summer of 2000, effective November 2000. To date, few American entities have registered.

The EU is also considering, under Directive 29, additional procedures under which member states could exchange personal information with countries that do not have similar legislation in place, provided that such data transfer is in accordance with the terms of the EU Model Contract. Passage is targeted for the spring of 2001 with compliance required shortly thereafter. Clearly, this sidesteps the thorny issue of country-by-country privacy legislation and places the responsibility for compliance on European entities that export personal information outside of the EU. The EU Privacy Commissioner has retained the right to audit compliance with such contracts.

In general, the United States has taken a very sectorial approach to privacy legislation, with a number of pieces of legislation directed at, or incorporating, personal privacy considerations. Legislation like Gramm-Leach-Bliley, HIPAA, and COPPA is focusing the attention of American businesses on the issue of informational privacy.

In April 2000 Canada passed the Personal Information Protection and Electronic Documents Act. This Act incorporates many of the OECD and Directive 95/46 concepts into 10 guiding principles. The Act became effective for a few organizations on January 1, 2001 and will include the personal information of all private sector entities engaged in commercial activities on January 1, 2004.

The Meaning of Privacy Compliance

With so many legislative and sectorial initiatives dealing with informational privacy, becoming and remaining Privacy Compliant presents unique challenges. The first of these is: with which legislation should I comply? Fortunately, most of the legislation is based upon the OECD guidelines. The following list, compiled from various legislative, regulatory and guidance documents, provides a generic set of issues that should be considered.

- Data collection must be lawful and fair
- Data must be collected for a specific, disclosed purpose
- Collection must be agreed to by the individual
- Data must be accurate, timely and relevant for the purpose
- Data must not be capable of being used to allow discrimination
- Data must be protected and secure
- The individual must have the right to access, rectify or delete his or her personal information
- Transborder data flow restrictions must safeguard the individual's information
- Restrictions on future use and disclosure
- Restrictions on retention and destruction
- Identifiable person to contact
- Published information privacy policies and procedures

Ten Items You Should Address

Considering the requirement for protection of personal information, there are a number of activities that should be undertaken. We have listed ten that represent activities that will assist in making your entity Privacy Compliant.

1. Make Someone Responsible

In Europe that person is called the Data Controller; in Canada, the Privacy Compliance Officer; and in the United States, most likely the Chief Privacy Officer. Regardless of the title, someone should be charged with the responsibility for informational privacy on an enterprise-wide basis.

This individual, supported by a department if necessary, will be responsible for the entity's day-to-day collection and processing of personal information as well as overseeing the organization's compliance with informational privacy policies and regulatory requirements. The individual or department, and how to contact them, should be made known, either through publication in the entity's marketing materials and other information, or upon request.

In most privacy legislation and regulations, the entity is responsible for personal information in its possession or custody, including information that has been transferred to a third party for processing. The privacy compliance officer is also responsible for ensuring the adequacy of safeguards over information held by a third party. Most often this can be accomplished through contractual or other means to ensure a comparable level of protection while the information is being processed by a third party.

Finally, the privacy compliance officer should be responsible for ensuring appropriate informational privacy policies and practices are implemented, including:

- Developing procedures to protect personal information;
- Establishing procedures to receive and respond to complaints and inquiries;
- Training staff and communicating to staff information about the organization's policies and practices; and
- Developing information to explain the organization's policies and procedures.

2. Create a Privacy Policy

Creating, promulgating and complying with an enterprise-wide informational privacy policy is essential to ensuring that legislation, regulations and marketplace expectations are met. The privacy policy should inform employees as well as customers, business partners and others of the enterprise's policies governing the collecting, storing, using, sharing and destroying of personal information, as well as the systems and procedures designed to safeguard that information.

The privacy policy should form the basis of the entity's privacy initiatives and its communication of those initiatives internally and externally. The policy should include, among others:

- Reference to the entity's structure and the individuals (positions) responsible
- The authority of the individual
- The reporting structure
- The scope of the policy
- Reference to specific legislation addressed by the policies
- Guidance for specific instances or circumstances
- General terms and conditions under which information will be collected, stored, processed, archived, used, disclosed and destroyed
- Internal procedures for dealing with customer or employee complaints against the privacy policy
- Education and training
- Customer awareness
- Consent and confirmation for the collection and use of personal information
- Accuracy of the personal information collected and retained
- Safeguarding of personal information
- Dealing with court orders for access to personal information
- Dealing with other governments or legislators

In addition to the entity being open about its policies and practices with respect to the management of personal information, data subjects should be able to acquire information about an entity's policies and practices without unreasonable effort. This information should be made available in a form that is generally understandable. For example, Canadian personal information protection requires that this information include:

- The name or title, and the address, of the person who is accountable for the organization's policies and practices and to whom complaints or inquiries can be forwarded;
- The means of gaining access to personal information held by the entity;
- A description of the type of personal information held by the entity, including a general account of its use and a copy of any brochures or other information that explain the organization's policies, standards, or codes; and
- What personal information is made available to related entities (e.g., corporate subsidiaries).

Informational privacy policies should be reviewed on a regular basis. When new legislation or regulations are enacted, their impact should be assessed and their requirements reflected in the entity's personal information policies. This will ensure continued alignment of the policies with legislative and regulatory requirements.

3. Ensure Marketing Materials Meet Marketplace Privacy Expectations

Given the need to inform customers of what use you will be making of the personal information you gather, and to obtain their consent, it is imperative that all customer information, including marketing material, application forms, brochures, and agreements, in both hard copy and on your website, be reviewed for legislative compliance.

Marketing information, including customer brochures, forms, applications and other systems and documents used to collect personal information, should be used in accordance with the entity's informational privacy policies, and should ensure that the entity:

- Obtains the consent of the data subject to collect the information
- Identifies the purpose for which the information is being collected and how it will be used
- Limits the personal information gathered to that which is reasonable to accomplish the business objectives of the purpose for which the information is being collected

In addition to addressing the marketing and other tools used to collect personal information, the entity should also ensure that the computerized and manual systems can record and monitor the various combinations of consent, including current use, future use, disclosure, sharing, etc., related to a data subject's information.

4. Address the Regulatory Issues

Regulators do matter! It is imperative that privacy policies and procedures comply with the legislation under which the enterprise operates. Where the enterprise conducts business in multiple jurisdictions, the policies should reflect those of the most stringent legislation to minimize differences in application due to jurisdiction. This needs to be managed carefully, though, to avoid an entity becoming less competitive in a particular jurisdiction where less stringent privacy protections are in place.

In certain cases, the regulations in one jurisdiction may conflict with business practices in another, such as the case with opt-in in Europe and the opt-out business practice commonly found in the United States. In such cases, care should be taken to balance the legal requirements with the business practices through such techniques as different consent forms or different procedures for obtaining oral consent in the various jurisdictions.

5. Obtain Data Subjects' Consent

Most privacy legislation requires that the enterprise receive consent from data subjects, the persons about whom it is gathering information, prior to, or at the time of, the collection of the information. Consent can be formal and in writing (signing a consent agreement); verbal (discussing a registration form); informal (a click on a website); or implied (requesting information). In the latter case, it may be implied that the data subject is consenting to the entity recording his or her name and address and using it to request products.

Regardless of the form, consent must usually be received and should always be documented in the enterprise's records, even if that documentation is only a note to indicate that verbal consent has been received. It is important to manage consent records thereafter to ensure that the data subject has consented to its use in future mailings and other contacts. The process does not stop with the initial recording!

In most jurisdictions with informational privacy legislation, a data subject is required to provide consent for the collection of personal information and the subsequent use or disclosure of this information. Typically, an entity will seek consent for the use or disclosure of the information prior to, or at the time of, its collection. In certain circumstances, consent with respect to use or disclosure may be sought after the information has been collected but before use (for example, when an organization wants to use information for a purpose not previously identified).

In addition, many jurisdictions require that the data subject also be knowledgeable of the collection of personal information. This "knowledge and consent" criterion places responsibility on the entity to make a reasonable effort to ensure that the data subject is advised of the purposes for which the information will be used. To make the consent meaningful, the purposes must be stated in such a manner that the individual can reasonably understand how the information will be used or disclosed.

It should be noted that in certain circumstances personal information might have to be collected, used, or disclosed without the knowledge and consent of the individual. For example, legal, medical, or security reasons may make it impossible or impractical to seek consent prior to use. Further, when information is being collected for the detection and prevention of fraud or for law enforcement, seeking the consent of the individual might defeat the purpose of collecting the information.

In other cases, seeking consent may be impossible or inappropriate when the individual is a minor, seriously ill, or mentally incapacitated. In addition, entities that do not have a direct relationship with the individual may not always be able to seek consent. For example, seeking consent may be impractical for a charity or a direct-marketing firm that wishes to acquire a mailing list from another organization. In such cases, the entity providing the list would be expected to obtain consent before disclosing personal information.
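Items 3 and 5 both come down to one system requirement: the entity must record each consent a data subject gives (its form, the disclosed purpose it covers, and some documentation even when the consent was verbal), track later withdrawals, and be able to answer, before every use or disclosure, whether current consent covers that purpose. The following is an added example of such a consent ledger written for this article; it is not code from the article or from Deloitte & Touche. The purpose names, the sample customer and the consent forms are constructed.

```python
"""Consent ledger: record consent per subject and purpose, allow withdrawal,
and check a proposed use or disclosure against the record before it happens.
Added illustration for items 3 and 5; purposes and sample data are constructed."""
from dataclasses import dataclass
from datetime import datetime, timezone
from enum import Enum
from typing import List, Optional


class ConsentForm(Enum):
    WRITTEN = "written"   # formal: signed consent agreement
    VERBAL = "verbal"     # e.g. discussed while completing a registration form
    CLICK = "click"       # informal: a click on a website
    IMPLIED = "implied"   # e.g. the subject requested information


@dataclass(frozen=True)
class ConsentEvent:
    subject_id: str
    purpose: str                 # a purpose disclosed to the subject, e.g. "order_fulfilment"
    given: bool                  # True = consent given, False = consent withdrawn
    form: Optional[ConsentForm]  # None for a withdrawal
    note: str                    # documentation; mandatory for verbal consent
    at: datetime


class ConsentLedger:
    """Append-only record of consent given and withdrawn, per subject and purpose."""

    def __init__(self) -> None:
        self._events: List[ConsentEvent] = []

    def record(self, subject_id: str, purpose: str, form: ConsentForm,
               note: str, at: Optional[datetime] = None) -> ConsentEvent:
        # Verbal consent leaves no document behind, so insist on at least a note.
        if form is ConsentForm.VERBAL and not note.strip():
            raise ValueError("verbal consent must be documented with a note")
        ev = ConsentEvent(subject_id, purpose, True, form, note,
                          at or datetime.now(timezone.utc))
        self._events.append(ev)
        return ev

    def withdraw(self, subject_id: str, purpose: str, note: str = "",
                 at: Optional[datetime] = None) -> ConsentEvent:
        ev = ConsentEvent(subject_id, purpose, False, None, note,
                          at or datetime.now(timezone.utc))
        self._events.append(ev)
        return ev

    def permits(self, subject_id: str, purpose: str,
                at: Optional[datetime] = None) -> bool:
        """True only if the latest event for this subject and purpose, as of
        `at`, is a consent that has not been withdrawn. A purpose never
        consented to (a use not previously identified) is refused."""
        when = at or datetime.now(timezone.utc)
        latest: Optional[ConsentEvent] = None
        for ev in self._events:
            if ev.subject_id == subject_id and ev.purpose == purpose and ev.at <= when:
                if latest is None or ev.at >= latest.at:
                    latest = ev
        return latest is not None and latest.given

    def history(self, subject_id: str) -> List[ConsentEvent]:
        """Everything recorded about one subject, in order: what an access
        request or an audit of the consent records would be shown."""
        return [ev for ev in self._events if ev.subject_id == subject_id]


def demo_ledger() -> ConsentLedger:
    """Constructed sample: one customer, two purposes, one later withdrawal."""
    t0 = datetime(2001, 5, 1, tzinfo=timezone.utc)
    ledger = ConsentLedger()
    ledger.record("cust-001", "order_fulfilment", ConsentForm.WRITTEN,
                  "signed order form, clause 4", at=t0)
    ledger.record("cust-001", "future_mailings", ConsentForm.VERBAL,
                  "agreed by phone with J. Doe, 2001-05-01", at=t0)
    ledger.withdraw("cust-001", "future_mailings", "opted out via call centre",
                    at=datetime(2001, 6, 1, tzinfo=timezone.utc))
    return ledger


if __name__ == "__main__":
    led = demo_ledger()
    for purpose in ("order_fulfilment", "future_mailings", "share_with_partner"):
        print(purpose, "permitted:", led.permits("cust-001", purpose))
```

The ledger is append-only on purpose: a withdrawal is recorded as a new event rather than by editing the original consent, so the history a data subject or an auditor sees shows what was consented to, in what form, and when it was withdrawn. `permits` takes a point in time so that a use made in the past can be checked against the consent that existed then.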

6. Provide Access to Personal Information

Data subjects should be provided with an opportunity to view personal information the enterprise maintains about them. Most comprehensive informational privacy legislation requires that, upon request, the data subject must be informed of the existence, use, and disclosure of his or her personal information and must be given access to that information. A data subject should be able to challenge the accuracy and completeness of the information and have it amended as appropriate.

This request may be very difficult to fulfill given the likelihood that personal information may be maintained in many organizational units within the entity. If it cannot be obtained at a reasonable cost and within a reasonable period of time, the entity may request permission to disclose only that information that it can reasonably obtain.

It must be remembered that such disclosure is not a clerical function. The information must be carefully reviewed to ensure that it does not include information that contains references to other individuals, whereby such disclosure would violate the other individual's privacy. Care must be taken with information that cannot be disclosed for legal, security, or commercial proprietary reasons. In addition, care must be taken not to disclose information that is subject to solicitor-client or litigation privilege.

Best practices would include:

- Informing the data subject, in a timely manner, whether or not the entity holds personal information about the data subject.
- Indicating the source, or sources, of the information.
- Permitting the data subject access to this information in a readable and understandable form.
- Placing restrictions on the release of personal information, such as requiring that medical information held by the entity be released through a medical practitioner to ensure proper interpretation.
- Providing the data subject with an account of the use that has been made or is being made of their personal information and an account of the third parties to which it has been disclosed.

One of the key security concerns is ensuring that the data subject is actually who they say they are. The individual making the request may be fishing for information about the data subject by posing as them. The entity should be guarded and may require the individual making the request to provide identification and other information prior to releasing information about the existence, use, and disclosure of personal information about the data subject.

7. Ensure Effective Security and Safeguards

It is not sufficient to have good informational privacy policies and procedures. They must be accompanied by good security. Safeguards should be appropriate to the sensitivity of the information.

The security safeguards that protect personal information must comprehend a range of potential events such as loss or theft, as well as unauthorized access, disclosure, copying, use, or modification. It is important that entities protect personal information regardless of the format or the location in which it is held.

Obviously, the nature of the safeguards will vary depending on the sensitivity of the information that has been collected, the amount, distribution, and format of the information, as well as the method of storage. More sensitive information should be safeguarded by a higher level of protection.

It is also important that entities make their employees aware of the entity's policies regarding personal information and the importance of maintaining the confidentiality of personal information.

Various methods can be employed to ensure the safeguarding of personal information, including:

- Physical measures, for example, locking filing cabinets and restricting access to offices;
- Organizational measures, for example, security clearances and limiting access on a "need-to-know" basis; and
- Technological measures, for example, the use of passwords and encryption.

Finally, when the personal information is no longer required for the purpose for which it was collected, care should be taken in the disposal or destruction of that information to prevent unauthorized access to the information.

8. Ensure the Accuracy of Personal Information

Using or releasing personal information, even when consent has been obtained, requires care to ensure that the information is accurate. As a best practice, personal information should be as complete, accurate, and up-to-date as is necessary for the purposes for which it is to be used. Determining accuracy, given the rapid decay of personal information accuracy, is a matter of judgement. However, as a general rule, personal information should be sufficiently accurate to minimize the possibility that inappropriate, inaccurate, incomplete or out of date information may be used to make a decision about the individual.

Accuracy of personal information raises another issue: whether to periodically update files containing personal information (this may be the most effective means to ensure that information in large databases is current), or to update them as required on a case-by-case basis. Many jurisdictions stipulate that personal information shall not be routinely updated unless such a process is necessary to fulfil the purposes for which the information was originally collected. This may require changes to incorporate ad hoc updating and related changes to systems and procedures.

However, the converse situation also arises, in that personal information that is used on an ongoing basis, including information that is disclosed to third parties, should generally be accurate and up-to-date, unless limits to the requirement for accuracy are clearly set out. Clearly the accuracy principle may require changes to business practices.

9. Limit the Use, Disclosure and Retention of Personal Information

Associated with ensuring the accuracy of the information is the requirement to limit its use, disclosure and retention. Many countries require that personal information only be used or disclosed for the purpose for which it was collected. While there are exceptions, most require the data subject to give consent for additional use. Retroactively obtaining consent is often time consuming, expensive and sometimes impossible to obtain within a reasonable period.

Clearly, large databases, and the applications that access personal information stored on them, will have to change to reflect these realities. Having the personal information does not necessarily convey the right to use it as you will. It also speaks volumes for having legal counsel involved in drafting the privacy clauses that address the original collection of that information. Further, some storage techniques such as CD-ROM, DVD, microfiche and microfilm do not allow the elimination of single records about a particular data subject.

Retention is another issue that must be addressed. Many countries have adopted privacy legislation requiring personal information to be retained only as long as necessary for the fulfilment of those purposes. Again, legal counsel's involvement early in the process can save thousands of dollars or, worse still, avoid the discovery that information already collected cannot be used.

Best practices suggest that entities develop guidelines and implement procedures with respect to the retention of personal information. These guidelines should include minimum and maximum retention periods. Personal information that has been used to make a decision about a data subject should be retained long enough to allow the data subject access to the information after the decision has been made.

Clearly retention of personal information raises significant issues. How long is sufficient? Will the entity be able to adequately protect itself in employment equity litigation if it destroys the applications of unsuccessful candidates once the position has been filled? What are the penalties for keeping the information? Is the entity's purpose statement broad enough to allow it to address reasonable business uses?
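The retention guidelines item 9 calls for (a minimum and a maximum retention period per kind of record, with the minimum extended when the record was relied on for a decision so that the subject can still obtain access to it) can be expressed as a small rule set that a periodic review job applies to the record inventory. The following is an added example written for this article, not code from the article or from Deloitte & Touche; the record categories, the periods and the sample records are constructed, and in practice the periods come from legal counsel as the article advises.

```python
"""Retention review for item 9: classify each record as retain / eligible for
destruction / overdue for destruction, honouring minimum and maximum retention
and the longer minimum owed after a decision about the subject.
Added illustration; categories, periods and sample records are constructed."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional


@dataclass(frozen=True)
class RetentionRule:
    category: str
    min_days: int             # must be kept at least this long after collection
    max_days: int             # must be destroyed once this long after collection
    access_window_days: int   # after a decision, keep at least this long for subject access


@dataclass(frozen=True)
class Record:
    record_id: str
    subject_id: str
    category: str
    collected_on: date
    decision_on: Optional[date] = None   # date a decision about the subject relied on it


def retention_action(record: Record, rule: RetentionRule, today: date) -> str:
    """One of: 'retain', 'eligible', 'overdue', 'conflict'."""
    earliest_destroy = record.collected_on + timedelta(days=rule.min_days)
    if record.decision_on is not None:
        # A record relied on for a decision stays available for the subject's access.
        earliest_destroy = max(earliest_destroy,
                               record.decision_on + timedelta(days=rule.access_window_days))
    latest_keep = record.collected_on + timedelta(days=rule.max_days)
    if earliest_destroy > latest_keep:
        return "conflict"   # minimum and maximum cannot both be met: escalate to counsel
    if today > latest_keep:
        return "overdue"    # past maximum retention: dispose of it with care (item 7)
    if today >= earliest_destroy:
        return "eligible"   # may be destroyed; nothing obliges the entity to keep it
    return "retain"


def review(records: List[Record], rules: Dict[str, RetentionRule],
           today: date) -> Dict[str, str]:
    """Apply the rules to every record; a category with no rule is flagged,
    never silently retained."""
    result: Dict[str, str] = {}
    for rec in records:
        rule = rules.get(rec.category)
        result[rec.record_id] = ("no_rule" if rule is None
                                 else retention_action(rec, rule, today))
    return result


def sample_review() -> Dict[str, str]:
    """Constructed inventory reviewed as of 15 May 2001."""
    rules = {
        "job_application": RetentionRule("job_application", min_days=180,
                                         max_days=730, access_window_days=365),
        "order": RetentionRule("order", min_days=365, max_days=1095,
                               access_window_days=365),
    }
    records = [
        # decided 2000-03-01: access window ends 2001-03-01, so now destroyable
        Record("r1", "cand-17", "job_application", date(2000, 1, 10), date(2000, 3, 1)),
        # collected 2001-04-01: minimum retention not yet reached
        Record("r2", "cand-18", "job_application", date(2001, 4, 1)),
        # collected 1998-01-01: maximum retention exceeded
        Record("r3", "cust-001", "order", date(1998, 1, 1)),
        # category without a rule: must be flagged for the privacy officer
        Record("r4", "cust-002", "survey", date(2001, 1, 1)),
        # decision so late that the access window outlasts the maximum
        Record("r5", "cand-19", "job_application", date(2000, 1, 10), date(2001, 5, 1)),
    ]
    return review(records, rules, date(2001, 5, 15))


if __name__ == "__main__":
    for record_id, action in sample_review().items():
        print(record_id, action)
```

The "conflict" outcome is deliberate: when a decision-based minimum outlasts the category's maximum, the job refuses to pick a side and reports the record, because resolving it is a legal judgement of the kind the article sends to counsel, not something a batch job should decide.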

10. Train Personnel Involved in Customer Activities

The introduction of informational privacy initiatives requires that the entity's personnel be adequately trained in the policies, procedures and implementation considerations. They may also require training in dealing with difficult situations. Personal information can be a very touchy subject. Individual feelings on the issues surrounding the collection, use and disclosure of personal information run high. Front line personnel are frequently required to enforce or explain what the data subject may interpret as unreasonable demands for information. Adequate training will ensure the entity's customers and clientele have trust in the way the information will be handled and confidence in its subsequent use or disclosure.

Summary

Informational privacy is not a new concept. It is, however, for some entities, a new way of conducting business. There will be fallout. Some businesses that survive by trading on personal information may have to change their modus operandi. However, change they must. As we enter the 21st Century, we are entering a world with a new economic order, a global economy, and reliance on products and services born through digital evolution. New rules of the road are being written. Privacy is one of them. In fact, informational privacy may be the price of entry to the global economy.
